An unpopular opinion about Cybersecurity job interviews
Who else loves 5-6 hour interview loops?! 🔂
Welcome back!
Thanks for sticking with me.
This issue dives right into my unpopular opinion on Cybersecurity job interviews and my perspective, given my experience with several.
Let’s get into it!
Quick Disclaimers
I'm not a fan or advocate of unnecessarily long interviews or pointless take-home assignments that feel like unpaid work 👎🏽.
I've interviewed for roles at Amazon/AWS ($dayjob), Google, OpenAI, Crowdstrike, Benchling, Cisco, Datadog, Intel, Alchemy, Reddit, American Express, and several others. I got offers from some and didn’t make it through for some others 🤷🏽‍♂️.
In some cases, the interview didn't match the role's complexity, and I may have experienced bias based on what I later learned about other candidates' experiences. But that's beside the point.
I'm not a hiring manager, so this opinion doesn't benefit me personally.
I'm referring to cybersecurity roles with certain levels of complexity, ownership expectations, and core business or product functions.
My perspective comes from securing my current role and other interviews where the complexity matched both the role and the compensation.
All opinions expressed are mine & NOT those of my previous, current, or future employers.
😮‍💨 Phew, with all that out of the way, let’s go into this issue.
I've seen posts claiming,
"If you can't determine if a person is the right candidate after 3 interviews <insert accusation here>".
I slightly disagree with this stance in some cases.
Follow me here, let me explain.
Compensation
Let's start with the financial aspect.
🤑 Many of these roles offer six-figure salaries or even multiple six-figures. Regardless of a company's valuation, no hiring manager would allocate such a substantial budget without thorough vetting or a trusted recommendation (SN: referrals are the name of the game!).
Also, given the recent economic downturn, thorough vetting processes have become even more important. Companies are increasingly cautious about hiring decisions, aiming to ensure that each new hire brings significant value to the organization. This economic climate has led to:
Increased scrutiny of candidates' skills and experience
A focus on hiring versatile professionals who can adapt to changing business needs
Greater emphasis on candidates who can demonstrate immediate impact and long-term potential
Regardless of budgets ranging from hundreds of thousands to millions of dollars annually for these positions, companies need to ensure they're making the right hiring decisions.
I share some compensation breakdowns in this video:
Trust
If you're handling production systems, sensitive information, or organizational security, it's ultimately a trust-based arrangement 🫂.
Beyond typical background checks, how do you build trust with a stranger? Three interviews might not suffice in some cases.
Also, the complexity of cybersecurity roles often requires a multifaceted evaluation process that may involve:
Technical assessments to evaluate hands-on skills
Scenario-based interviews to gauge problem-solving abilities
Behavioral interviews to assess cultural fit and soft skills
Security clearance checks for sensitive positions
Presentations or case studies to demonstrate communication skills
I believe that diversity in the interview panel may help with this. Different interviewers can assess various aspects of a candidate's skills and fit. This approach ensures a more comprehensive evaluation, reducing the risk of overlooking key qualities or potential red flags.
Moreover, because interviews are a two-way street, they allow candidates to interact with a broader range of potential colleagues, giving them a better sense of the team and company culture while demonstrating their technical prowess, problem-solving abilities, and cultural fit within the organization.
Time
“Time is money or whatever they said.”
Okay, that’s irrelevant to this portion of the newsletter. Sorry.
⌛️ Interviews typically last at least an hour, sometimes even 30 minutes, which is often barely enough. Between questions, answers, follow-up questions, and the interviewee’s inquiries, an hour flies by. SO FAST 🏃🏾‍♂️💨.
Additionally, the complexity of cybersecurity topics often requires in-depth discussions and scenario-based questions, which can easily consume an hour or more. This is especially true when dealing with technical concepts or exploring a candidate's problem-solving approach in real-world situations.
Teams
☦️ Finally, there are cross-functional (XFN) teams to consider.
Between the hiring manager, team engineers, other relevant engineers, possibly a product manager, and a coding round, there's a lot to cover. As an interviewee, even though it's uncomfortable, I wouldn't want to rush through just three rounds if they don’t cover the job's necessities. I want ample time to showcase my best self.
As stated previously, the interview process serves as a two-way street and should allow the candidate to thoroughly assess the company, team dynamics, and potential growth opportunities while also ensuring that both parties can make informed decisions. This leads to better long-term outcomes, reduced turnover rates, and ultimately, job satisfaction for both the interviewers and interviewees!
Isn’t that just perfect 🥹
pls don’t overdo it
That being said, it's the company's responsibility to keep candidates informed about the hiring process promptly, not overcomplicate the process, and not waste the candidate’s time 🙄.
For lengthy interviews (like 5-6 hour loops), it's important to provide short breaks. I've been fortunate to have great experiences where interviewers allowed brief 5-10 minute breaks between sessions and also gave me a lot of grace, knowing I’d been interviewing for hours.
We’re all humans, after all. Right? Right? 👾
This is my personal view. I'm happy to go through reasonably long interview processes to present myself effectively, especially when the compensation, team, and job are worth it.
Cybersecurity Jobs
🐆 Panther has a new Security Engineering Job Board with various roles.
🎥 Netflix is hiring for multiple security roles.
🐈‍⬛ GitHub is hiring for an Incident Response Analyst role.
🛫 Delta Airlines is hiring for an IT Security Intern role.
🏰 Oracle is hiring for a Security Analyst role.
🦅 Crowdstrike is still hiring for multiple security roles.
🏡 Airbnb is still hiring for multiple security roles.
🪟 Microsoft is still hiring for multiple security roles.
🐕 Datadog ($formeremployer) is still hiring for multiple security roles.
🐺 Huntress is still hiring for a couple of security roles.
🛡️ Binary Defense is hiring for a Cybersecurity Engineer role.
☁️ AWS ($dayjob) is still hiring for multiple security roles.
🏦 CITI is still hiring for multiple security roles.
Recent Content
Everything you need to know to become a Splunk Power User!
Reflecting on the last 6 months of my transition from a Cloud Threat Detection Engineer at Datadog to a Security Incident Response Engineer at Amazon.
A conversation with Dennis Chow, an experienced security engineer and manager who has led global security teams in multiple Fortune 500 industries. Dennis started from an IT and security analyst background, working his way up to engineering, architecture, and consultancy in blue and red team-focused roles. Dennis is also a former AWS professional services consultant who focused on transforming security operations for clients and holds GIAC Security Expert (GSE) #288.
This is also available on Spotify & Apple Podcasts.
Cyberwox Resources
Resources for your career
🔹Join the Cyberwox Academy Discord!!
🔷 Check out the episodes of the Cyberstories Podcast on your favorite platform
🔹Cyberwox Cybersecurity Notion Templates for planning your career
🔹Cyberwox Best Entry-Level Cybersecurity Resume Template
🔹Learn AWS Threat Detection with my LinkedIn Learning Course
Closing
Once again, you made it this far :)
Thanks for reading. If you so desire, subscribe. If not, I’ll see you around…somewhere on the internet!